#104: host-portability fold setup owner surface

[loning]

摘要

#104 design-consensus r4 共识(structural,maintainer 发版必含件):把 host setup owner surface fold 进 codex-refactor-loop,实现 host-adaptive GitHub 模板/配置跨项目可移植性。不新增独立 setup skill。

• Old:host-portability 散落,缺统一 HostWorkflowSpec 投影 + host-env 驱动的 release/degradation 适配。
• New:HostWorkflowSpec 七面 data-only 投影贯通 release gate / publisher / preflight / required-checks / degradation;non-admin merge;host-env 驱动 release checks。host 仅通过 host.env + HostWorkflowSpec 接入,无 host 改动权越界。

范围

27 files (+307/-76):release/{gate,publisher,publish_preflight,required_checks}.py + workflow_spec.py + controller_actions.py + degradation.py + SKILL.md/README.md/host.env.example + 配套 tests。本地 release/host-workflow 测试全绿。

Closes #104

🤖 Auto-loop / codex-refactor-loop

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Tests reviewer: reject，缺少两个 fail-closed 分支的行为测试

TL;DR

• 这是什么:PR 363 的 tests 视角独立 review。
• 结论:reject，因为新增 missing_host_required_release_checks 分支只有字面/source 覆盖，没有行为测试真正跑到。
• 下一步:补 release gate 和 publish preflight 两个缺失 host required checks 的 deny-path 测试后可重新 review。

---

详细说明

这次实现把 release required checks 从硬编码默认改成 host env 配置，这是对的，但测试少了两个关键负向路径。Release gate 是发布闸门，会决定是否允许进入 release；publish preflight 是发布前最后一道输入校验。两处都新增了 missing_host_required_release_checks，但当前测试主要把 helper 改成总是写入 HOST_GITHUB_RELEASE_REQUIRED_CHECKS，所以没有证明“host opt-in 为 true 但 check 名为空时必须拦住”。

需要补两类行为测试:第一，RELEASE_AUTO_ENABLE=true 且 GH_REPO_SLUG / REVIEW_BASE_BRANCH / INTEGRATION_BRANCH 都存在，但 HOST_GITHUB_RELEASE_REQUIRED_CHECKS 缺失或为空时，release gate 的 required_checks_recent_green 应该失败并给出 missing_host_required_release_checks。第二，一个 otherwise ready 的 ReleasePublishPreflight.validate() 在 host opt-in true 但 required checks 缺失时必须 deny，并包含同一个 reason。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: tests
verdict: reject
---

## Verdict
Reject: the PR adds new fail-closed release behavior for missing host-required release checks, but does not add behavior tests that exercise those denial paths.

## Evidence
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/gate.py:254` adds a new live release-gate branch where `RELEASE_AUTO_ENABLE=true` and `HOST_GITHUB_RELEASE_REQUIRED_CHECKS` is empty returns `missing_host_required_release_checks`; I found only source/literal coverage for that string, not a behavior test that runs the gate with branch env present and the required-check list absent.
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/publish_preflight.py:230` adds the same fail-closed reason to release publish preflight when `required_release_checks(load_host_env(...))` is empty, but `skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:71` and `:80` update both host opt-in helpers to always include `HOST_GITHUB_RELEASE_REQUIRED_CHECKS`, so the new denial branch is never exercised.
- `skills/codex-refactor-loop/scripts/test_auto_release_gate.py:97` has an explicit host-owned env helper that omits `HOST_GITHUB_RELEASE_REQUIRED_CHECKS`, but the related test at `:845` uses prewritten green fixture signals and only asserts a decision artifact exists. It does not cover the new live `required_checks_recent_green` fail-closed path at `gate.py:254`.

## What would change your verdict
Add behavior tests that prove:
- release gate blocks `required_checks_recent_green` with `missing_host_required_release_checks` when `RELEASE_AUTO_ENABLE=true`, `GH_REPO_SLUG`, `REVIEW_BASE_BRANCH`, and `INTEGRATION_BRANCH` are present, but `HOST_GITHUB_RELEASE_REQUIRED_CHECKS` is absent or empty;
- `ReleasePublishPreflight.validate()` denies with `missing_host_required_release_checks` for an otherwise ready candidate when host opt-in is true but required check names are absent.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:tests:reject

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Quality review approve

TL;DR

• 这是什么: PR #104: host-portability fold setup owner surface #363 的 readability / simplicity / dead-code 角度独立 review。
• 结论: approve, 没看到质量维度 must-fix。
• 下一步: controller 可继续汇总其它 reviewer verdict。

---

详细说明

我按三点看了这轮改动: 命名是否表达业务意图、是否引入多余抽象或死代码、是否有 unrelated cleanup。结论是这次 fold 比较克制: release required checks 只从 host.env 读取, HostWorkflowSpec 只增加 data-only projection, GitHub workflow portability checklist 也折回现有 downstream install / host-owned artifact surface。

具体证据在内部 artifact 里。关键点是没有新增 standalone setup skill, 没有新增第二套 release-check owner, ValidatedWorkflowSpec.projection() 只是序列化已验证数据, controller merge 路径删除 --admin 后也没有把 cleanup / label mutation 逻辑变复杂。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: quality
verdict: approve
---

## Verdict
Approve: the diff keeps the #104 portability fold readable and scoped, with no quality-level dead code, needless abstraction, or unclear naming found.

## Evidence
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/required_checks.py:22` adds `required_release_checks`, a small host-env parser whose business intent is explicit; it is reached by release gate, preflight, publisher, and wrapper callers rather than sitting as unused private code.
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/required_checks.py:105` keeps `ReleaseRequiredChecksProjection` as the existing projection owner and only injects `required_checks`, avoiding a second release-check abstraction or host-specific hardcoded default list.
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:72` names the allowed projection keys directly as `WORKFLOW_PROJECTION_KEYS`, and `ValidatedWorkflowSpec.projection()` at `workflow_spec.py:152` is a straightforward serialization of existing validated data, not a new workflow authority layer.
- `skills/codex-refactor-loop/SKILL.md:187` folds the GitHub workflow portability checklist into the existing downstream install and host-env owner surface; the text names allowed artifacts and forbidden setup actions without creating a standalone setup skill or parallel protocol.
- `skills/codex-refactor-loop/SKILL.md:190` includes the required self-documenting `#104` rationale with readable scope and no `see issue #X` placeholder; this satisfies the self-doc policy for the changed skill contract.
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/controller_actions.py:259` removes the `--admin` merge flag in the existing `merge_pr` path without adding branching or cleanup complexity; the failure path records a blocked-by-host-policy pending event and returns before label/worktree cleanup.
- Modified tests stay focused on the same surfaces: required release checks, workflow projection, host-env matrix, label contract wording, and non-admin merge behavior. I did not find unrelated one-off cleanup or three-plus duplicated snippets that should be extracted.

## What would change your verdict (only if comment or reject)
N/A

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:quality:approve

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Architect review approve

TL;DR

• 这是什么:PR 363 的架构合规复核,按 CLAUDE.md / AGENTS.md 和 [goal] codex-refactor-loop 自适应 host GitHub 模板/配置 — 跨项目可移植性 #104 共识决策检查。
• 结论:architect 角度 approve,没有发现会降低架构合规性的阻塞项。
• 下一步:controller 可把此 reviewer verdict 纳入 review gate 共识计算。

---

详细说明

我核对了三点:一是 #104 没有新增独立 setup skill 或第二套 protocol owner;二是 HostWorkflowSpec 仍然只是七个 data-only surface,不能注入 label / merge / git / executor 等生命周期字段;三是 release required checks 改为由 HOST_GITHUB_RELEASE_REQUIRED_CHECKS 这个 host.env 事实注入,auto-release 缺失时 fail-closed。

controller_actions.py 里的 merge 路径删除了 --admin,失败时只记录 blocked-by-host-policy,没有增加 host branch-protection probe 或绕过路径。整体是收窄 authority,不是放大 controller 权限。

---

📎 完整 codex 原始输出(存档备查)

---

pr: 363
role: architect
verdict: approve

Verdict

approve - no architectural concerns from the CLAUDE.md compliance angle.

Evidence

• No blocking issues found. Scope stays within the [goal] codex-refactor-loop 自适应 host GitHub 模板/配置 — 跨项目可移植性 #104 consensus owner surface: README.md, skills/codex-refactor-loop/SKILL.md, skills/codex-refactor-loop/host.env.example, existing codex-refactor-loop runtime modules, and focused tests. This matches the judge decision to fold setup into the existing skill owner and not add skills/consensus-github-workflow-setup/.
• skills/codex-refactor-loop/SKILL.md:187 documents the folded GitHub workflow portability checklist; skills/codex-refactor-loop/SKILL.md:190 says setup may only fill host-owned .config/consensus-rnd/host.env, repo-relative HOST_WORKFLOW_SPEC, and optional repo-relative bindings; skills/codex-refactor-loop/SKILL.md:198 forbids host .github edits, label/issue/PR mutation, branch-protection probing, git mutation, branch creation, and merge/close side effects. This preserves CLAUDE.md host boundary: "skill 无 host 项目改动权:不修改 host 的 .git 配置 / CI 配置 / policy 文档;只在 host.env 暴露的 surface 上工作."
• skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:72 defines exactly seven projection keys, and workflow_spec.py:152 exports only those data surfaces. Recursive forbidden-field validation at workflow_spec.py:249 still rejects lifecycle/command fields, preserving CLAUDE.md "强类型边界,窄扩展点" and "抽象一旦能被滥用即设计未完成".
• skills/codex-refactor-loop/scripts/codex_refactor_loop/controller_actions.py:259 removes gh pr merge --admin; controller_actions.py:264 records blocked-by-host-policy on merge failure before cleanup. This narrows lifecycle authority rather than adding an escape hatch.
• skills/codex-refactor-loop/scripts/codex_refactor_loop/release/required_checks.py:22 reads required release checks from HOST_GITHUB_RELEASE_REQUIRED_CHECKS; release/gate.py:254 and release/publish_preflight.py:230 fail closed when auto-release lacks host-configured checks. This keeps release facts host-owned and avoids hardcoded downstream check names.
• No new *WriteActor / *ReadActor / *Store split, no new external repo references, no standalone setup skill, no compat shim, and no new root architecture document were introduced in the diff.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:architect:approve

⟦AI:AUTO-LOOP⟧

[loning]

🤖 review-gate r1 — tests reject → fix r2 派出

reviewer	verdict
architect	✅ approve
tests	❌ reject
quality	✅ approve

tests reject:新增的 host-required release checks fail-closed denial 行为缺 behavior test 覆盖 denial 路径。fix r2 须补 denial-path 测试。完成后重派 reviewers。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 PR 363 round 2 fix 已补齐 release fail-closed 行为测试

TL;DR

• 这是什么: fix-codex 针对 round 1 tests reviewer 的唯一 reject 做修复。
• 结论: 已补 2 个行为测试,覆盖 release gate 和 publish preflight 缺少 host required-check names 的拒绝路径。
• 下一步: controller 可提交本轮 diff 并重新派发 review-gate。

---

详细说明

本轮只有 tests reviewer 是 reject, blocking demand 是新增 HOST_GITHUB_RELEASE_REQUIRED_CHECKS 缺失/空值时的 fail-closed 行为测试。AutoReleaseGate.compute_stability() 是 release gate 的稳定性计算入口;现在测试会在 RELEASE_AUTO_ENABLE=true 且 GH_REPO_SLUG、REVIEW_BASE_BRANCH、INTEGRATION_BRANCH 都存在时,分别覆盖 required-check env 缺失和空字符串,断言 required_checks_recent_green 返回 missing_host_required_release_checks,并且不会继续调用 GitHub Checks API。

ReleasePublishPreflight.validate() 是 controller 发布 release 前的授权检查入口;现在新增 otherwise-ready candidate 的负向测试,只移除 host required-check names,断言唯一拒绝原因就是 missing_host_required_release_checks。验证已跑: BUILD_CMD=true 通过,TEST_CMD=python3 -m unittest discover -s skills/codex-refactor-loop/scripts -p 'test_*.py' 通过 946 tests, skipped=1。

---

📎 完整 codex 原始输出(存档备查)

# Fix report for PR 363 round 2

## Applied
- (A) skills/codex-refactor-loop/scripts/test_release_gate_module.py:193: added a live `AutoReleaseGate.compute_stability()` behavior test for `RELEASE_AUTO_ENABLE=true` with branch env present and `HOST_GITHUB_RELEASE_REQUIRED_CHECKS` absent or empty; it asserts `required_checks_recent_green` fails closed with `missing_host_required_release_checks` and does not call the Checks API. (addresses reviewer:tests evidence #1 and #3)
- (A) skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:80 and skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:226: added a host-env fixture for auto-release opt-in without required check names and an otherwise-ready `ReleasePublishPreflight.validate()` denial test; it asserts the only denial reason is `missing_host_required_release_checks`. (addresses reviewer:tests evidence #2)

## Rejected as false positive
- None.

## Blocked (cannot fix this round)
- None.

## Build status
- build: pass (`bash -lc "$BUILD_CMD"`; `BUILD_CMD=true`)
- tests: pass (`bash -lc "$TEST_CMD"`; 946 tests, skipped=1)
- targeted tests: pass (`python3 -m unittest skills/codex-refactor-loop/scripts/test_release_gate_module.py`; 16 tests) and pass (`python3 -m unittest skills/codex-refactor-loop/scripts/test_release_publish_preflight.py`; 20 tests)

## Recommendation for next round
- expect unanimous; the only reject demand was missing behavior coverage for the new fail-closed release required-check paths, and both requested denial paths now have direct tests.

⟦AI:AUTO-LOOP⟧
FIX_DONE:363:round-2:applied-2:rejected-0:blocked-0

⟦AI:AUTO-LOOP⟧

[loning]

🤖 fix r2 完成 → reviewers r2 派出

FIX_DONE:363 round-2 applied-2:已补 host-required release checks fail-closed denial-path behavior tests(消除 tests reviewer r1 reject)。新 HEAD 434f8f4,3 reviewer r2 重审。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Quality review: comment

TL;DR

• 这是什么: PR 363 的 code quality 独立审查。
• 结论: comment, 没有发现必须阻塞合并的复杂度、死代码或范围漂移问题。
• 下一步: 建议作者清理 2 个小的 public surface 命名/冗余点。

---

详细说明

整体可读性是可以接受的,改动范围也贴合 #104 host-portability。两个点值得收口: gate.REQUIRED_CHECKS 现在是一个函数别名,但全大写名字看起来像不可变常量;ValidatedWorkflowSpec.as_dict() 只是 projection() 的薄别名,当前没有调用方。这里的 public surface 指模块对外暴露的名字,后续测试和脚本容易把它当契约使用。

这些是质量建议,不是行为阻塞。修法也很小:把 callable 别名改成动词/函数名,或者直接调用 required_release_checks;删掉 as_dict() 或补一行兼容性说明。

---

📎 完整 codex 原始输出(存档备查)

---

pr: 363
role: quality
verdict: comment

Verdict

Comment: the PR is focused and readable overall, but two small public-surface naming/clarity issues are worth fixing before this settles into the release API vocabulary.

Evidence

• skills/codex-refactor-loop/scripts/codex_refactor_loop/release/gate.py:53 exports REQUIRED_CHECKS = required_release_checks, so an all-caps name that reads like an immutable tuple is now a callable parser. The new test at skills/codex-refactor-loop/scripts/test_release_gate_module.py:353 calls it as a function, which confirms this is not just an internal implementation detail. This is misleading naming on a public module surface.
• skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:193 adds ValidatedWorkflowSpec.as_dict() as a thin alias for projection(), but I found no caller in the PR diff or current tree. Since projection() is the business name used by the new tests, the alias is dead public surface unless there is a documented external compatibility reason.

What would change your verdict

Rename gate.REQUIRED_CHECKS to a callable name such as required_checks_for_env or stop re-exporting it and call required_release_checks directly in tests. Delete ValidatedWorkflowSpec.as_dict() unless an existing external caller requires that compatibility alias, in which case add a short comment explaining the compatibility contract.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:quality:comment

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Tests review r2: approve

TL;DR

• 这是什么: PR #104: host-portability fold setup owner surface #363 的 tests 视角复审结果。
• 结论: approve, round 2 已补上 host required checks 缺失时的 release gate / publish preflight fail-closed 行为测试。
• 下一步: controller 可按 review truth table 继续收敛,本角色没有 must-fix 阻塞。

---

详细说明

这轮重点看了新增生产逻辑是否有真实行为测试,不是只靠 source string 或 fixture 存在。test_release_gate_module.py 覆盖了 RELEASE_AUTO_ENABLE=true 但 HOST_GITHUB_RELEASE_REQUIRED_CHECKS 缺失/为空时的 live gate 拒绝,并断言不会继续查 GitHub check-runs。test_release_publish_preflight.py 覆盖了同样的 preflight 拒绝,且断言这是唯一剩余拒绝原因。

其他 host-portability 面也有对应测试: workflow spec projection 断言只有 7 个 data-only surface 且不含 lifecycle/command 字段, controller merge 测试断言不再使用 --admin 并在 host policy 阻塞时不做 cleanup side effect。机械扫描未发现新增 skip/manual、sleep/delay pacing 或明显弱化断言。Focused unittest 子集 105 tests OK。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: tests
verdict: approve
---

## Verdict
Approve: round 2 adds concrete behavior and source-regression coverage for the host-portability changes, including the previously missing fail-closed release paths.

## Evidence
- `skills/codex-refactor-loop/scripts/test_release_gate_module.py:193` exercises live release-gate behavior with `RELEASE_AUTO_ENABLE=true` and missing/empty `HOST_GITHUB_RELEASE_REQUIRED_CHECKS`; it asserts the gate is not ready, the signal source is `host.env`, the reason is `required_checks_recent_green:missing_host_required_release_checks`, and no `gh api` check-run query is made.
- `skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:226` covers the matching publish-preflight denial for otherwise ready release artifacts when host required checks are absent; it asserts `missing_host_required_release_checks` is the only remaining denial reason.
- `skills/codex-refactor-loop/scripts/test_required_release_checks.py:136` verifies the new required-check parser reads only `HOST_GITHUB_RELEASE_REQUIRED_CHECKS` and ignores legacy `REQUIRED_RELEASE_CHECKS`, which directly covers the host-owned surface migration.
- `skills/codex-refactor-loop/scripts/test_host_workflow_spec.py:105` validates the workflow projection emits exactly the seven data-only surfaces and excludes lifecycle/command fields such as `labels`, `merge`, `executor`, and `git`.
- `skills/codex-refactor-loop/scripts/test_controller_actions.py:266` covers the non-admin merge path and host-policy block behavior by asserting `gh pr merge` is called without `--admin`, no cleanup side effects happen after a merge failure, and a pending event records `blocked-by-host-policy`.
- Mechanical scan of the PR test diff found no added skip/manual markers, no added sleep/delay pacing, and no obvious assertion loosening. Focused verification passed: `python3 -m unittest skills/codex-refactor-loop/scripts/test_release_gate_module.py skills/codex-refactor-loop/scripts/test_release_publish_preflight.py skills/codex-refactor-loop/scripts/test_required_release_checks.py skills/codex-refactor-loop/scripts/test_host_workflow_spec.py skills/codex-refactor-loop/scripts/test_controller_actions.py skills/codex-refactor-loop/scripts/test_release_publisher.py` ran 105 tests OK.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:tests:approve

⟦AI:AUTO-LOOP⟧

[loning]

🤖 architect r2 reject: release required-check contract has a stale fact source

TL;DR

• 这是什么:PR #104: host-portability fold setup owner surface #363 的 architecture compliance review。
• 结论:reject, 主体方向对,但 SKILL.md/source-regression 仍把本仓库三项 check 写成 release-gate 必需项。
• 需要作者做什么:把 stale 文案和 marker 改成 $HOST_GITHUB_RELEASE_REQUIRED_CHECKS 是唯一来源,三项 check 只作为本仓库 host.env.example 示例。

---

详细说明

PR 已经把 runtime 路径改成 host-env 驱动,这是 #104 的正确方向:release gate 和 publisher 读取 HOST_GITHUB_RELEASE_REQUIRED_CHECKS,空值在 auto-release 时 fail closed。

问题是 contract surface 没同步干净。skills/codex-refactor-loop/SKILL.md:322 仍写着 release gate 需要 skill-degradation 搭配 contract-tests / manifest-version-sync;checks/degradation.py:117-125 的 source-regression marker 也继续锁这句。这样同一个 release-gate 约束同时有两个事实源:新 runtime 说 host.env 决定,旧 SKILL/source-regression 说固定三项决定。按 CLAUDE.md 的「事实源唯一」和「行为变更必须配套 behavior test + source-regression test」,这是 blocking architecture regression。

修法很小:把 Skill degradation source-repo validation 段和 degradation checker marker 改成 release required-check names come from $HOST_GITHUB_RELEASE_REQUIRED_CHECKS;本仓库的 contract-tests,manifest-version-sync,skill-degradation 只保留为 dogfood host.env.example 值。现有 runtime behavior tests 不需要反向退回。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: architect
verdict: reject
---

## Verdict
reject - the PR correctly moves release required checks to host.env in runtime paths, but leaves a stale SKILL/source-regression contract that still requires this repository's old three check names.

## Evidence
- `skills/codex-refactor-loop/SKILL.md:260` now says release stability reads every name in `$HOST_GITHUB_RELEASE_REQUIRED_CHECKS`, but `skills/codex-refactor-loop/SKILL.md:322` still says "`consensus-rnd-cli release-gate` requires it beside `contract-tests` and `manifest-version-sync`." That creates two live facts for the same release-gate requirement. PROJECT_RULES clause: "事实源唯一:同一约束禁止在多处平行声明。版本号 -> `.version-bump.json`;host 运行时事实 -> `host.env`;skill 行为 -> 该 skill 的 SKILL.md 与 `scripts/test_*.py`。"
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/checks/degradation.py:117-125` still locks the old source-regression marker `release gate ... requires skill-degradation`, while the new behavior in `release/required_checks.py` and `release/gate.py` deliberately uses `HOST_GITHUB_RELEASE_REQUIRED_CHECKS`. This means the source-regression guard now preserves the stale repo-specific rule instead of the new host-owned rule. PROJECT_RULES clause: "行为变更必须配套 **behavior test**(断言行为本身)+ **source-regression test**(对 SKILL.md 段落标题、narrow allowlist 字面、授权来源 path 等做字面断言),防止\"改文档没改实现\"或反之。"

## What would change your verdict
Update the Skill degradation source-repo validation paragraph and its source-regression marker to say that release-gate required check names come from `$HOST_GITHUB_RELEASE_REQUIRED_CHECKS`, with this repo's `contract-tests,manifest-version-sync,skill-degradation` only as the dogfood `host.env.example` value. Keep the behavior tests that prove runtime callers do not treat those three names as universal defaults.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:architect:reject

⟦AI:AUTO-LOOP⟧

[loning]

🤖 fix r3 派出(解冲突 + architect reject)

architect r2 reject(陈旧 SKILL/source-regression 仍要求旧三 check 名)+ PR 与 auto-refact-dev CONFLICTING。fix r3 codex 一并:解 SKILL.md/test_skill_reference_anchors.py merge 冲突 + 将 required-checks 契约改为 host.env-driven。完成后 controller commit/push,重派 reviewers r3。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 fix r3 完成 + rebase → reviewers r3

#363(#104 host-portability)fix r3(applied-2):解 SKILL.md/test_skill_reference_anchors merge 冲突 + 将 release required-checks 契约改为 host.env-driven(消除 architect r2 reject 的陈旧旧三 check 名)。已 rebase 到含 #344 的新 auto-refact-dev(无冲突,146 tests 绿)。reviewer r3 重审。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 架构审查通过：#104 owner surface 没有越界

TL;DR

• 这是什么: PR #104: host-portability fold setup owner surface #363 的 architect/CLAUDE.md compliance 独立审查。
• 结论: approve, 没有发现新增或恶化的架构边界违规。
• 下一步: controller 可把该角色 verdict 纳入 review-gate 共识计算。

---

详细说明

从架构边界看,这次改动把 GitHub workflow portability 折回 codex-refactor-loop 既有 owner surface,没有新增 standalone setup skill 或第二套协议 owner。HostWorkflowSpec 仍是七个 data-only projection surface,并递归拒绝 command / lifecycle 字段。

release required checks 改为 host.env 注入的 $HOST_GITHUB_RELEASE_REQUIRED_CHECKS;当 RELEASE_AUTO_ENABLE=true 且缺失/为空时 fail closed。merge_pr 也去掉了 --admin,失败时记录 host-policy-blocked pending event,没有绕过 host policy。

---

📎 完整 codex 原始输出(存档备查)

---

pr: 363
role: architect
verdict: approve

Verdict

approve: no architectural compliance concerns from the CLAUDE.md/AGENTS.md angle.

Evidence

• README.md:59 keeps downstream setup centralized in the existing codex-refactor-loop walkthrough and points host GitHub portability to the folded checklist, matching CLAUDE.md "单一主干,插件扩展" and "边界清晰,职责分层".
• skills/codex-refactor-loop/SKILL.md:190 states [goal] codex-refactor-loop 自适应 host GitHub 模板/配置 — 跨项目可移植性 #104 setup is folded into the existing owner surface and must not create a standalone setup skill or second protocol owner, matching CLAUDE.md "单一主干,插件扩展:每个 skill 一条权威主链路;新能力以子模块/脚本挂载,禁止平行第二系统。"
• skills/codex-refactor-loop/SKILL.md:192-198 bounds allowed host artifacts to host-owned .config/consensus-rnd/host.env, one repo-relative HostWorkflowSpec JSON, and optional repo-relative prompt/body bindings, while forbidding host .github edits, label mutation, issue/PR mutation, branch-protection probing/edits, git mutation, branch creation, and merge/close side effects. This preserves CLAUDE.md "host 项目...skill 无 host 项目改动权" and ".refactor-loop/ is skill-private runtime/cache/log state only".
• skills/codex-refactor-loop/SKILL.md:101 and :273 move release required check names to $HOST_GITHUB_RELEASE_REQUIRED_CHECKS and fail closed when auto-release is enabled without them, matching CLAUDE.md "host 运行时事实 → host.env" and "不在红信号上发版".
• skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:72-80 and :152-194 expose exactly the seven documented data-only HostWorkflowSpec projection surfaces; :249-257 rejects command/lifecycle fields recursively, and :423-447 enforces host: names plus repo-relative prompt paths. This keeps host workflow extension data-only and avoids lifecycle authority expansion.
• skills/codex-refactor-loop/scripts/codex_refactor_loop/controller_actions.py:259 removes --admin from PR merge and :264-266 records host-policy-blocked merge failures instead of bypassing them, which is directionally compliant with host production boundaries.
• skills/codex-refactor-loop/scripts/test_skill_reference_anchors.py:333-380 source-regression locks the folded checklist, absence of a standalone setup skill, and forbidden new protocol-owner names; targeted behavior tests for HostWorkflowSpec and host-required release checks passed locally.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:architect:approve

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Tests review: reject, standalone release-required-checks 缺失空配置覆盖

TL;DR

• 这是什么: PR 363 的 tests 角度独立 review。
• 结论: reject, 高层 release gate/preflight 有空配置测试, 但 public release-required-checks CLI/default projection 路径没有。
• 需要 controller 下一步: 补上 standalone CLI/default projection 对空 HOST_GITHUB_RELEASE_REQUIRED_CHECKS fail-closed 的行为测试后再进下一轮。

---

详细说明

这次改动把 release required checks 从硬编码迁到 host.env 的 HOST_GITHUB_RELEASE_REQUIRED_CHECKS。高层 AutoReleaseGate 和 ReleasePublishPreflight 已经测试了缺失/空配置会 fail closed, 但 release-required-checks 是一个 public CLI, 也是 .github/workflows/release.yml 直接调用的路径。当前测试只在 projection 测试里显式传入 FIXTURE_RELEASE_CHECKS, 没有覆盖默认从环境读取为空时的业务结果。

风险点是: 默认 projection 的 required check 列表为空时, required-check 循环不会跑, reason=None, 结果会变成 passed。这个路径需要自己的行为测试, 断言空/缺失 HOST_GITHUB_RELEASE_REQUIRED_CHECKS 不会被当作 release required checks 通过。

---

📎 完整 codex 原始输出(存档备查)

---

pr: 363
role: tests
verdict: reject

Verdict

Reject: the net-new host-configured release required-check surface lacks direct coverage for the standalone release-required-checks / default projection path when the host check list is empty.

Evidence

• skills/codex-refactor-loop/scripts/codex_refactor_loop/release/required_checks.py:118 now defaults ReleaseRequiredChecksProjection.required_checks from HOST_GITHUB_RELEASE_REQUIRED_CHECKS; at required_checks.py:185-218, an empty tuple means the required-check loop is skipped and passed=True; required_checks.py:281-304 exposes that through the public release-required-checks CLI without an empty-list guard.
• .github/workflows/release.yml:29-34 invokes that public CLI directly, but the workflow does not inject HOST_GITHUB_RELEASE_REQUIRED_CHECKS, so this is not just an internal helper path.
• skills/codex-refactor-loop/scripts/test_required_release_checks.py:56-141 always passes FIXTURE_RELEASE_CHECKS for projection behavior tests; the only new parser test checks env parsing and legacy-key rejection, not the business outcome for missing/empty HOST_GITHUB_RELEASE_REQUIRED_CHECKS.
• skills/codex-refactor-loop/scripts/test_release_gate_module.py:193-228 and skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:226-238 cover higher-level fail-closed behavior, but they do not cover the standalone CLI/default projection path used by the release workflow.

What would change your verdict

Add behavior coverage in test_required_release_checks.py for omitted and empty HOST_GITHUB_RELEASE_REQUIRED_CHECKS through the default projection and/or main() path, asserting it fails closed instead of passing with zero required checks. A small source-regression assertion that the CLI path contains the empty-host-check guard would also be appropriate because this is a release safety invariant.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:tests:reject

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Quality review: comment

TL;DR

• 这是什么:PR #104: host-portability fold setup owner surface #363 的 readability / simplicity 角度独立 review。
• 结论:comment,整体可读且聚焦,只有一个小的未使用 public wrapper 建议清掉。
• 下一步:controller 可按 advisory comment 继续;作者可选择删掉 as_dict() 或补兼容理由。

---

详细说明

我只看到一个质量层面的 nit:workflow_spec.py:193 新增的 ValidatedWorkflowSpec.as_dict() 没有调用点,而同一个类已经有 projection() 作为被测试和使用的 API。两个名字返回同一份数据会增加后续维护者要理解的表面积,但这不是合并阻塞问题。

建议删除 as_dict() 保留 projection(),或者补一个具体调用方 / 兼容说明来证明双入口是有意的。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: quality
verdict: comment
---

## Verdict
Comment: the PR is readable and focused overall, but one new wrapper method looks like unused public surface.

## Evidence
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:193`: `ValidatedWorkflowSpec.as_dict()` is newly introduced but has no caller in the PR branch; `projection()` is the exercised API (`test_host_workflow_spec.py` calls `spec.projection()`), so this wrapper adds a second name for the same behavior without a compatibility note.

## What would change your verdict (only if comment or reject)
Delete `as_dict()` and keep `projection()` as the single API, or add a concrete caller / compatibility comment that explains why both names must exist.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:quality:comment

⟦AI:AUTO-LOOP⟧

[loning]

📊 当前状态 — Consensus-rnd Phase review-gate r3 → FIX(❌ 不需要人介入)

#363(#104)r3:architect approve、tests reject(缺 empty/missing HOST_GITHUB_RELEASE_REQUIRED_CHECKS default-projection 业务行为测试)、quality comment。已 rebase 到含 #345 的 ard,fix r4 派出补该 behavior test。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 fix r4 完成 → reviewers r4

#363(#104)fix r4 applied-1:补 missing/empty HOST_GITHUB_RELEASE_REQUIRED_CHECKS default-projection behavior test(消除 tests r3 reject)。reviewer r4 重审(architect r3 已 approve)。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Quality review: 一个小的 dead public surface

TL;DR

• 这是什么: 我按 readability / simplicity 角度审了 PR 363。
• 结论: comment, 整体可读且聚焦, 但有一个新增 public alias 看起来没有调用方。
• 下一步: 建议删掉 ValidatedWorkflowSpec.as_dict() 或补上真实调用方/说明。

---

详细说明

skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:193 新增了 ValidatedWorkflowSpec.as_dict(), 但当前分支里没有调用方。新增测试直接覆盖的是 projection(), 文档和测试也都围绕 host workflow projection 这个业务词展开。

这不是 merge blocker, 但从质量角度看, projection() 已经是更清楚的业务命名 API。再加一个泛化的 as_dict() 会扩大 public surface, 读代码的人会多一个问题: 两个序列化入口是不是有不同语义? 如果没有, 删除更简单。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: quality
verdict: comment
---

## Verdict
Comment: the PR is focused and readable overall, but it introduces one tiny public alias that appears unused and makes the workflow-spec surface wider than needed.

## Evidence
- skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:193 adds `ValidatedWorkflowSpec.as_dict()` as a public method, but the branch has no caller for it; the new behavior test exercises `projection()` directly, and `git grep` only finds this method declaration. Because `projection()` is already the business-named API for the seven host workflow surfaces, the alias reads like dead public surface rather than an intentional caller contract.
- skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:152 keeps the actual serializer under `projection()`, whose name matches the host workflow projection vocabulary used by the docs and tests. I did not find naming, complexity, duplication, or self-doc-comment issues elsewhere in the touched runtime files.

## What would change your verdict (only if comment or reject)
Delete `ValidatedWorkflowSpec.as_dict()` unless a real caller needs the generic serialization convention; if keeping it, add a direct caller or a short comment/test that explains why both `projection()` and `as_dict()` are intentional public surfaces.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:quality:comment

⟦AI:AUTO-LOOP⟧

[loning]

🤖 架构审查 r4：comment-only，可合并但建议删掉空兼容别名

TL;DR

• 这是什么:PR #104: host-portability fold setup owner surface #363 的 architect 角度审查结果。
• 结论:不发现会阻断合并的 CLAUDE/AGENTS 架构违规，verdict=comment。
• 下一步:controller 可继续按 review-gate 真值表推进；作者可顺手处理 REQUIRED_RELEASE_CHECKS 空兼容别名。

---

详细说明

从架构边界看，这个 PR 把 #104 setup 收回 codex-refactor-loop 现有 owner surface，没有新增独立 setup skill，也没有把 host .github、branch protection、label/issue/PR 生命周期、git mutation 等 host production authority 放进 .refactor-loop。HostWorkflowSpec 是 host 通过 HOST_WORKFLOW_SPEC 指向的 repo-relative JSON，只做 data-only 投影；WorkflowInvariantValidator 会拒绝 command/git/label/merge 等生命周期字段。

我只留一个 comment: REQUIRED_RELEASE_CHECKS 现在变成导出的空 compatibility alias，而新事实源已经是 required_release_checks() + $HOST_GITHUB_RELEASE_REQUIRED_CHECKS。这不构成阻断，因为 runtime path 已改用 host-env 配置并在缺失时 fail closed；但按「删除优先」条款，空兼容壳最好删除，或者明确成 narrow legacy-read/migration surface 并加 source-regression 锁住。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: architect
verdict: comment
---

## Verdict
comment-only: architecture is mergeable from my angle, with one deletion-first cleanup note on the retained empty release-check compatibility alias.

## Evidence
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/required_checks.py:16`: the PR converts `REQUIRED_RELEASE_CHECKS` into an exported empty "Compatibility alias only" while the new owner surface is `required_release_checks()` / `$HOST_GITHUB_RELEASE_REQUIRED_CHECKS`. This is minor but touches the deletion-first clause: "废弃 skill、deprecated wrapper、`*.bak/*.old/*.deprecated` 直接删除,不保留兼容空壳;历史由 git 与 CHANGELOG 保留。" It is not a blocking architecture violation because runtime callers in this diff use `required_release_checks()` and the projection fails closed when host checks are missing.
- `skills/codex-refactor-loop/SKILL.md:71`, `skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:21`, and `skills/codex-refactor-loop/scripts/codex_refactor_loop/workflow_spec.py:222`: the HostWorkflowSpec expansion remains data-only, repo-relative, host-namespaced, and rejects lifecycle/command fields before validation. That matches the host boundary clauses: "host 运行时事实 → `host.env`" and "skill 间通过 `host.env` + 文件 artifact + GitHub API 等稳定边界协作,不耦合彼此内部脚本".
- `skills/codex-refactor-loop/SKILL.md:168` and `skills/codex-refactor-loop/SKILL.md:176`: #104 setup is folded into the existing owner surface and explicitly forbids host `.github`, label, issue/PR, branch-protection, git, merge/close, tag/release, and lifecycle mutation. That does not introduce a second setup skill or move host production authority into `.refactor-loop`.
- `skills/codex-refactor-loop/scripts/codex_refactor_loop/controller_actions.py:259`: removing `--admin` from `gh pr merge` narrows controller authority and records blocked host-policy merge failures at line 265; this is aligned with "最小权限动作".
- `skills/codex-refactor-loop/SKILL.md:101`, `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/gate.py:254`, `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/publish_preflight.py:230`, and `skills/codex-refactor-loop/scripts/codex_refactor_loop/release/publisher.py:272`: release required check names now come from host.env and fail closed when auto-release is enabled without configured checks. This stays within the existing release-publication allowlist and host runtime fact injection model.

## What would change your verdict
Delete the public `REQUIRED_RELEASE_CHECKS` compatibility alias/export if there are no live consumers, or document it as a narrow legacy-read/migration surface with source-regression coverage if it must remain temporarily.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:architect:comment

⟦AI:AUTO-LOOP⟧

[loning]

🤖 测试视角 r4 通过

TL;DR

• 这是什么: PR #104: host-portability fold setup owner surface #363 的 tests reviewer r4 独立结论。
• 结论: approve, 新增逻辑有对应行为测试和 source-regression 锚点。
• 需要 maintainer 做什么: 不需要因测试覆盖阻塞, controller 可继续后续 gate。

---

详细说明

我按 tests 角度检查了 host-configured release checks、HostWorkflowSpec projection、non-admin merge failure reporting、folded setup 文档锚点这些改动面。新增测试不是只测“没抛异常”: 它们断言 fail-closed reason、不会调用 gh api、不会写 lifecycle cleanup、projection 不含 labels/assignees/spawn/merge 等字段。

我也在 detached PR-head worktree .worktrees/review-pr363-tests 跑了目标测试: 252 tests passed, 33.293s。git diff --check origin/auto-refact-dev...HEAD 也通过。主 checkout 上的全量 discovery 有既有/环境相关失败,未作为本 PR 证据。

---

📎 完整 codex 原始输出(存档备查)

---
pr: 363
role: tests
verdict: approve
---

## Verdict
Approve: the changed runtime surfaces have behavior coverage plus source-regression anchors, and I did not find test-quality regressions in the PR diff.

## Evidence
- `skills/codex-refactor-loop/scripts/test_required_release_checks.py:136` covers `required_release_checks()` parsing only the host-owned `HOST_GITHUB_RELEASE_REQUIRED_CHECKS` key, and `:143` covers the default projection failing closed without calling `gh api` when the host list is missing or empty.
- `skills/codex-refactor-loop/scripts/test_release_gate_module.py:193` covers the live release gate fail-closed path for auto-release without host required checks and asserts no Checks API polling occurs.
- `skills/codex-refactor-loop/scripts/test_release_publish_preflight.py:226` covers publish preflight denial when auto-release lacks host required checks, with no unrelated denial reasons.
- `skills/codex-refactor-loop/scripts/test_release_publisher.py:319` and `:334` keep the exact-SHA check gate behavior covered after host-configured required checks are injected into `ReleaseRequiredChecksProjection`.
- `skills/codex-refactor-loop/scripts/test_host_workflow_spec.py:105` covers the new seven-key `ValidatedWorkflowSpec.projection()` surface and asserts lifecycle/command fields are absent from the projected data.
- `skills/codex-refactor-loop/scripts/test_wakeup_plan.py:1084` and `skills/codex-refactor-loop/scripts/test_package_triage.py:238` assert host workflow/status projections stay no-lifecycle-authority and do not grow label/assignee/spawn/merge fields.
- `skills/codex-refactor-loop/scripts/test_controller_actions.py:266` covers the new non-admin merge failure path: it attempts `gh pr merge --squash --delete-branch`, records `blocked-by-host-policy`, and skips cleanup/recent-merge writes on failure.
- Source-regression coverage was updated in `test_skill_reference_anchors.py`, `test_check_skill_degradation.py`, `test_host_env_surface_matrix.py`, `test_label_contract_source.py`, and `test_source_publication_boundary.py` for the folded setup surface, host-configurable release checks, and loop-owned label language.
- I found no added `sleep`/`time.sleep` test pacing, no added skips/manual traits, no weakened assertions in touched tests, and no mock-only tests that merely verify a call without asserting the business outcome.
- Targeted PR-head verification passed: `python3 -m unittest skills/codex-refactor-loop/scripts/test_host_workflow_spec.py skills/codex-refactor-loop/scripts/test_required_release_checks.py skills/codex-refactor-loop/scripts/test_release_gate_module.py skills/codex-refactor-loop/scripts/test_release_publish_preflight.py skills/codex-refactor-loop/scripts/test_release_publisher.py skills/codex-refactor-loop/scripts/test_controller_actions.py skills/codex-refactor-loop/scripts/test_controller_lib_label_helper.py skills/codex-refactor-loop/scripts/test_host_env_surface_matrix.py skills/codex-refactor-loop/scripts/test_skill_reference_anchors.py skills/codex-refactor-loop/scripts/test_wakeup_plan.py skills/codex-refactor-loop/scripts/test_package_triage.py` from detached PR-head worktree `.worktrees/review-pr363-tests` ran 252 tests in 33.293s and passed. `git diff --check origin/auto-refact-dev...HEAD` also passed there.

## What would change your verdict (only if comment or reject)
N/A.

⟦AI:AUTO-LOOP⟧
REVIEW_DONE:363:tests:approve

⟦AI:AUTO-LOOP⟧

[loning]

🤖 review-gate 共识 MERGE_WITH_COMMENTS

#363(#104 host-portability,beta.6 必含件)tests approve + architect/quality comment(advisory)+ 0 reject + CI 全绿 → 合并到 auto-refact-dev。comment 反馈作后续 advisory。

⟦AI:AUTO-LOOP⟧